[ntp:security] SSL problems with support.ntp.org

Kurt Seifried kseifried at redhat.com
Thu Oct 30 00:38:49 UTC 2014


On 29/10/14 05:34 PM, Harlan Stenn wrote:
> Kurt Seifried writes:
>> no prob, assuming you're using apache or haproxy or something else
>> Linux/UNIXy I'm happy to help out with best config recommendations/etc,
>> in general you want
>>
>> protocols: TLS 1.0/1.1/1.2
>> ciphers:
>> EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:EECDH=
>> +RC4:RSA+RC4:!MD5;
>>
>> this provides backwards compat for older clients (like IE6 on XP), if
>> you are willing to dump that then get rid of the
>> "EECDH+3DES:RSA+3DES:EECDH+RC4:RSA+RC4"
> 
> We're running FreeBSD and apache.
> 
> We're trying to find a better way to handle certificate updates.
> 
> We use CAcert certificates; I'm an assurer so my certs are good for 2
> years' time.  We're working on getting org-level certification from
> them, which will get us some additional information in our certs.

My concern with CAcert would be that virtually nobody supports it:

http://wiki.cacert.org/InclusionStatus

If you are using SSL/TLS for the purpose of protecting traffic, CACert
is a less than optimal choice since virtually no browser (at least that
I'm aware of, or the CACert docs indicate) supports it by default. The
reality is that CACerts are pretty cheap now, you can get them for about
$8-9/year for domain validated per hostname, and 80-90$/year for
wildcard (which can be handy configuration wise, just having a single
cert to deal with).

> As for getting rid of some of the older methods, if there is a way we
> can see how much use they are getting that would help.  I'm all for
> making things better.

Honestly with the SSL 3 thing you can pretty safely disable it and most
of the older ciphers, any browser new enough to support SNI will support
TLS/AES and so on. CloudFlare disabled SSL v3 for ~4 million sites, the
only people losing out are WindowsXP with IE6, and if they're stuck with
that and no alternative browsers they are hosed anyways. There would
obviously be some older devices/etc, for the cloudsecurityalliance.org I
set it up so any browser not supporting SNI (aka really old browsers)
went to a default site and in 2 months or so I only saw 2 web  crawlers
and something claiming to be an old blackberry. And this was 3 years ago.

> Anything you want to do to help would be appreciated!
> 
> H
> 

-- 
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <http://lists.ntp.org/private/security/attachments/20141029/24f54f7c/attachment.sig>


More information about the security mailing list